On September 18, 2018, more than a month after we published a
blog revealing the details of a use-after-free (UAF) vulnerability CVE-2018-8373 that affects the VBScript engine in newer Windows versions, we spotted another exploit, possibly in the wild, that uses the same vulnerability. It’s important to note that this exploit doesn’t work on systems with updated Internet Explorer versions.
Instead of modifying the CONTEXT structure of NtContinue to execute shellcode, such as in the case of the previous exploit sample, this new sample obtains execution permission from
Shell.Application by modifying the
SafeMode flag in the VBScript Engine. The execution of this exploit is similar to that of CVE-2014-6332 and CVE-2016-0189.